Malware removal method and system, and computer storage medium

ABSTRACT

A method, a device, and a computer storage medium are provided. The method includes: after the operating system is run, starting a core file to build an environment, then loading a driver in the built environment; reading, by the driver, a configuration file to obtain a path of a malware; and deleting the registry entries and files of the malware in a kernel layer according to the path. The device includes: a start loading module configured to start a core file and build an environment after the operating system is run, then load a driver in the built environment; a path reading module configured to read a configuration file by the driver to obtain a path of a malware; and a program deleting module configured to delete the registry entries and files of the malware in a kernel layer according to the path.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation application of International Application No. PCT/CN2013/076767, filed Jun. 5, 2013, and claims foreign priority to Chinese Patent Application No. 201210186501.4, filed in the China Patent Office on Jun. 7, 2012, the entire disclosures of which are incorporated herein by reference in their entireties as a part of this application.

FIELD OF THE INVENTION

The present disclosure relates to computer security technologies, and more particularly to a malware removal method and system, and a computer storage medium.

BACKGROUND OF THE INVENTION

With the rapid development of computer applications, malware that runs on a computer spreads and resides persistently on it, seriously harming security. In order to stay resident in the operating system, malware has developed a variety of techniques to protect itself, so that it cannot be removed by conventional security software.

Conventional security software usually removes malware in one of the following ways: (1) force-deleting the registry entries or files of the malware in the driver layer; after the deletion, however, the malware writes them back, so the forced deletion does not hold; (2) blocking the write-back with a placeholder file, created at the malware's path with the highest system privilege in the kernel and opened without sharing so that nothing else can open it; when the malware notices that the write-back has failed, however, it renames itself and re-creates the write-back file under a new name until a write-back succeeds; (3) writing the file path of the malware into the registry (for example as a delayed-delete entry such as the Session Manager's PendingFileRenameOperations value) and deleting the malware according to that path during system start-up; the malware, however, can monitor the registry key during start-up and delete the entry as soon as it finds its own protected path there, so the deletion fails; (4) terminating the write-back process of the malware and then deleting its registry entries and files; if the malware has injected itself into a system process and performs the write-back from there, however, the write-back process cannot be terminated, so the registry entries and files of the malware cannot be deleted.

Because the malware uses such protection techniques, or has logic that bypasses the deletion performed by the security software, the security software can do nothing against malware resident in the operating system even once it has been found, which greatly reduces security.

SUMMARY OF THE INVENTION

Accordingly, it is necessary to address the problem of poor security by providing a malware removal method that increases security.

In addition, it is necessary to provide a malware removal device that increases security.

Furthermore, it is necessary to provide a computer storage medium that increases security.

A method of removing malware includes the following steps:

starting a core file and building an environment after the operating system is run, then loading a driver in the built environment;

reading a configuration file by the driver to obtain a path of a malware; and

deleting the registry entries and files of the malware in a kernel layer according to the path of the malware.

A method of removing malware includes the following steps:

reading, by a driver, a registry path of a malware when the operating system is shutting down and releasing the registry; and

calling a registry uninstall function to delete the registry entries of the malware according to the registry path of the malware.

In one embodiment, the method further includes:

reading, by the driver, a file path of the malware when the operating system is shutting down and releasing the file system; and

calling a file uninstall function to delete the file of the malware according to the file path of the malware.

A malware removal device includes:

a start loading module configured to start a core file and build an environment after the operating system is run, then load a driver in the built environment;

a path reading module configured to read a configuration file by the driver to obtain a path of a malware; and

a program deleting module configured to delete the registry entries and files of the malware in a kernel layer according to the path of the malware.

A malware removal device includes:

a registry releasing module configured to read, by a driver, a registry path of a malware when the operating system is shutting down and releasing the registry; and

a registry uninstalling module configured to call a registry uninstall function to delete the registry entries of the malware according to the registry path of the malware.

A computer storage medium storing computer-executable instructions is used for controlling a method of removing malware, wherein the method includes:

starting a core file and building an environment after the operating system is run, then loading a driver in the built environment;

reading a configuration file by the driver to obtain a path of a malware; and

deleting the registry entries and files of the malware in a kernel layer according to the path of the malware.

A computer storage medium storing computer-executable instructions is used for controlling a method of removing malware, wherein the method includes:

reading, by a driver, a registry path of a malware when the operating system is shutting down and releasing the registry; and

calling a registry uninstall function to delete the registry entries of the malware according to the registry path of the malware.

In the foregoing malware removal method, device, and computer storage medium, the driver is loaded while the core file runs during start-up of the operating system, and the registry entries and files of the malware are deleted in the kernel layer according to the path of the malware, so that the malware is removed before it has had a chance to run. In addition, a driver running in the kernel layer has a higher system privilege than a program running in the application layer, so it can force-delete the malware, which increases security.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart of a method of removing malware according to an embodiment;

FIG. 2 is a schematic drawing showing the method of removing malware according to an embodiment;

FIG. 3 is a flow chart of a method of removing malware according to another embodiment;

FIG. 4 is a flow chart of a method of removing malware according to yet another embodiment;

FIG. 5 is a schematic drawing showing the method of removing malware according to another embodiment;

FIG. 6 is a block diagram showing a malware removal device according to an embodiment;

FIG. 7 is a block diagram showing a malware removal device according to another embodiment; and

FIG. 8 is a block diagram showing a malware removal device according to yet another embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Referring to FIG. 1, in one embodiment, a method of removing malware includes the following steps:

Step S110: after the operating system is run, a core file is started to build an environment, and a driver is then loaded in the built environment.

In the illustrated embodiment, after the operating system is started the following procedures are executed in order: the master boot record (MBR) is read, the DOS boot record (DBR) is read, the NT loader (NTLDR) runs and loads the initial registry hive, the core file (NTOSKRNL.EXE) runs, the system variables are initialized (SMSS.EXE), and the user logon process (WINLOGON.EXE) is loaded. The core file is essentially the program NTOSKRNL.EXE. The initialization of the registry and the file system is completed during start-up of the operating system. After NTOSKRNL.EXE has initialized the registry and the file system, the kernel enters its driver-calling stage, which provides a kernel driver environment in which the loaded drivers run in the kernel layer.

Step S130: the driver reads a configuration file to obtain the path of the malware.

In the illustrated embodiment, the driver is the component that performs the removal of the malware; it is triggered by a call made while the core file runs. The configuration file records the malware that has been verified and is to be deleted, together with the corresponding path of each.

In one embodiment, step S130 includes: traversing the configuration file with the driver and reading the registry path and the file path of the malware, respectively.

In the illustrated embodiment, the malware consists of registry entries and files, which are usually recorded in different locations. Accordingly, the path read from the configuration file includes both the registry path and the file path of the malware.

Step S150: the registry entries and files of the malware are deleted in the kernel layer according to the path of the malware.

In the illustrated embodiment, the driver running in the kernel layer has the highest privilege level in the operating system: it can access any memory and any hardware directly, without restriction, so it can delete the registry entries and files of the malware through a force-delete interface of the kernel layer. The force-delete interface is a low-level interface built on the driver, which runs at the highest privilege level in the operating system, and it bypasses the system's security check mechanism (the access checks that would block the same operation from user mode). Unlike a deletion interface in the application layer, the force-delete interface does not fail because of that security check mechanism, so the registry entries and files of the malware are deleted by force.
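The configuration file that the driver traverses in step S130 is the one input that decides what a kernel-mode force delete is aimed at, so parsing it needs the same care as the deletion itself: every entry should be an absolute, canonical path, and the Win32 names a user-mode component writes (HKLM\..., C:\...) have to be mapped to the NT native names (\Registry\Machine\..., \??\C:\...) that kernel routines such as ZwOpenKey, ZwDeleteKey and ZwDeleteFile expect. Because the driver deletes whatever the file names, the file itself also has to be protected from the malware, or the malware can turn the driver against the security software. The following C program is an added example written for this page; it is not code from the patent or its assignee, and the line-oriented REG/FILE format, the validation rules and the entry names in the embedded sample are assumptions, since the patent does not specify a configuration format. It is portable user-mode code that only prepares the paths; the kernel deletion calls themselves are not part of it.

```c
/* Added example, not from the patent: parse a hypothetical REG/FILE config (step S130)
 * into the NT native paths a driver would hand to ZwOpenKey/ZwDeleteKey or ZwDeleteFile.
 * Portable user-mode code: it prepares paths only and deletes nothing. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ENTRIES 16
#define NT_PATH_LEN 300

typedef enum { ENTRY_REGISTRY = 0, ENTRY_FILE = 1 } entry_kind;
typedef struct { entry_kind kind; char nt_path[NT_PATH_LEN]; } removal_entry;

/* Constructed sample input; the names are illustrative, not real malware. */
static const char *SAMPLE_CONFIG =
    "# verified entries to remove at boot\n"
    "REG  HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\exampleagent\n"
    "FILE C:\\ProgramData\\exampleagent\\svc.exe\n"
    "\n"
    "FILE C:\\ProgramData\\..\\Windows\\System32\\drivers\\etc\\hosts\n" /* traversal   */
    "REG  HKCU\\Software\\exampleagent\n"                                /* no user yet */
    "DELETE everything\r\n";                                             /* unknown verb */

/* Absolute, canonical paths only: a relative segment would let a tampered config
 * aim the kernel-mode delete at an unintended target. */
static int path_is_safe(const char *p)
{
    size_t n = strlen(p);
    if (n == 0 || p[n - 1] == '\\' || strstr(p, "\\..\\")) return 0;
    return !(n >= 3 && strcmp(p + n - 3, "\\..") == 0);
}

/* HKLM/HKU have fixed NT names; HKCU/HKCR are rejected because they need a
 * logged-on user or a merged view, neither of which exists at this boot stage. */
static int to_nt_registry(const char *in, char *out, size_t cap)
{
    static const struct { const char *hive, *nt; } roots[] = {
        { "HKLM\\", "\\Registry\\Machine\\" }, { "HKU\\", "\\Registry\\User\\" } };
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++) {
        size_t hl = strlen(roots[i].hive);
        if (strncmp(in, roots[i].hive, hl) == 0)
            return snprintf(out, cap, "%s%s", roots[i].nt, in + hl) < (int)cap;
    }
    return 0;
}

/* 1 = entry produced, 0 = blank or comment, -1 = rejected. Edits buf in place. */
static int parse_line(char *buf, removal_entry *e)
{
    size_t len = strlen(buf);
    while (len > 0 && isspace((unsigned char)buf[len - 1])) buf[--len] = '\0';
    char *verb = buf;
    while (isspace((unsigned char)*verb)) verb++;
    if (*verb == '\0' || *verb == '#') return 0;
    char *path = strchr(verb, ' ');
    if (path == NULL) return -1;
    *path++ = '\0';
    while (*path == ' ') path++;
    if (!path_is_safe(path)) return -1;
    if (strcmp(verb, "REG") == 0) {
        e->kind = ENTRY_REGISTRY;
        return to_nt_registry(path, e->nt_path, sizeof e->nt_path) ? 1 : -1;
    }
    if (strcmp(verb, "FILE") == 0) {      /* C:\... -> \??\C:\... for the object manager */
        if (!(isalpha((unsigned char)path[0]) && path[1] == ':' && path[2] == '\\')) return -1;
        e->kind = ENTRY_FILE;
        return snprintf(e->nt_path, sizeof e->nt_path, "\\??\\%s", path) < NT_PATH_LEN ? 1 : -1;
    }
    return -1;
}

/* Walk the text line by line. *rejected counts lines that were present but unusable;
 * a non-zero count means the file was edited or damaged and should be reported. */
int parse_removal_config(const char *text, removal_entry *out, int max, int *rejected)
{
    int count = 0;
    *rejected = 0;
    while (*text != '\0') {
        const char *end = strchr(text, '\n');
        size_t len = end ? (size_t)(end - text) : strlen(text);
        char buf[NT_PATH_LEN];
        int status = -1;                   /* over-long lines are rejected */
        if (len < sizeof buf && count < max) {
            memcpy(buf, text, len);
            buf[len] = '\0';
            status = parse_line(buf, &out[count]);
        }
        count += status == 1;
        *rejected += status < 0;
        if (end == NULL) break;
        text = end + 1;
    }
    return count;
}

/* Parse the constructed sample into globals a caller can inspect. */
removal_entry g_entries[MAX_ENTRIES];
int g_rejected;
int parse_sample(void) { return parse_removal_config(SAMPLE_CONFIG, g_entries, MAX_ENTRIES, &g_rejected); }

int main(void)
{
    for (int i = 0, n = parse_sample(); i < n; i++)
        printf("%s %s\n", g_entries[i].kind == ENTRY_REGISTRY ? "key " : "file", g_entries[i].nt_path);
    printf("rejected lines: %d\n", g_rejected);
    return 0;
}
```

Run as is, the program prints the two accepted NT paths and reports three rejected lines. HKCU entries are rejected deliberately: at the point in boot where the driver runs no user is logged on, so a per-user key can only be named under HKU\<SID>. Treating the rejected count as an alarm rather than silently skipping bad lines gives the operator a signal that the file was edited or damaged, which matters for a file that a kernel driver acts on with the highest privilege.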

In the described malware removal method, the removal is triggered by the driver running in the kernel layer while the core file runs during start-up of the operating system. At that time the malware has not yet run, because the operating system has only just completed the initialization of the registry and the file system for the kernel, and user mode has not yet started. Accordingly, the removal procedure prevents the write-back by the malware, the registry entries and files of the malware are removed completely, and a removal failure is avoided.

Additionally, in the conventional removal method the malware is deleted after the program SMSS.EXE has run, that is, after the kernel's driver-calling stage that runs the core file has finished and the operating system has completed the initialization of the registry and the file system (when SMSS.EXE has completed). Because the malware has already run by then, its write-back cannot be avoided, and the removal fails. In the present method the malware is removed as soon as the core file runs: immediately after the kernel's driver-calling stage and before the initialization of the registry and the file system has completed (that is, before or during SMSS.EXE). As shown in FIG. 2, after the operating system is started the following procedures are executed in order: the master boot record (MBR) is read, the DOS boot record (DBR) is read, the NT loader (NTLDR) runs and loads the initial registry hive, the core file (NTOSKRNL.EXE) runs, the system variables are initialized (SMSS.EXE), and the user logon process (WINLOGON.EXE) is loaded. The driver is loaded after NTOSKRNL.EXE runs, and the malware is deleted as soon as the core file is running, immediately after the kernel's driver-calling stage and before the initialization performed by SMSS.EXE has completed. Since the removal is performed during start-up of the operating system as soon as the core file runs, the write-back of the malware is avoided.

Referring to FIG. 3, in another embodiment, the method of removing malware further includes the following steps:

Step S210: when the operating system is shut down and releases the registry, the registry path of the malware is read by the driver.

In the illustrated embodiment, when the operating system is started the registry and the file system are loaded. Correspondingly, when the operating system is shut down the registry and the file system are unloaded, so as to release them from memory. While the registry is being released, the registry path of the malware is read immediately and the deletion of the registry entries of the malware is then executed. Accordingly, the registry entries of the malware are removed during shutdown of the operating system, while the registry is being released, so that the malware cannot write them back, and the registry entries of the malware are removed completely.

Step S230: the registry entries of the malware are deleted by calling a registry uninstall function according to the registry path of the malware.

In the illustrated embodiment, once the registry path of the malware has been read, the driver deletes the registry entries of the malware by calling a registry uninstall function. The registry uninstall function is a callback routine invoked when the registry is unloaded.

In another embodiment, prior to step S230, the method further includes: pre-registering the registry uninstall function.

In this embodiment, the registry uninstall function is registered in advance, so that during the foregoing registry removal process it is called automatically as part of the shutdown procedure of the operating system, that is, it is called when the registry is released.

Referring to FIG. 4, in another embodiment, the method of removing malware further includes the following steps.

Step S310: when the operating system is shut down and releases the file system, the file path of the malware is read by the driver.

In the illustrated embodiment, after the registry has been released the file system is unloaded, so that it is released from memory. While the file system is being released, the file path of the malware is read by the driver and the deletion of the file of the malware is executed immediately; thus the write-back of the malware is prevented and the file of the malware is removed completely.

Step S330: the file of the malware is deleted by calling a file uninstall function according to the file path of the malware.

In the illustrated embodiment, once the file path of the malware has been read, the driver deletes the file of the malware by calling a file uninstall function. The file uninstall function is a callback routine invoked when the file system is unloaded.

In another embodiment, prior to step S330, the method further includes: pre-registering the file uninstall function.

In this embodiment, the file uninstall function is registered in advance, so that during the foregoing file removal process it is called automatically as part of the shutdown procedure of the operating system, that is, it is called when the file system is released.

Referring to FIG. 5, in an embodiment, when the operating system begins to shut down, the registry is unloaded first. While the registry is being released, the registry path of the malware is read immediately and the deletion of the registry entries of the malware is executed. When the release of the registry is complete, the file system is unloaded. While the file system is being released, the file path of the malware is read by the driver and the file of the malware is deleted.

In the foregoing malware removal method, during the shutdown process of the operating system the malware is removed by the driver as the registry and the file system are released. Since the registry and the file system have already been released by the operating system, the malware cannot write back its registry entries and files, so the malware is removed successfully, which greatly increases the security of the system.

In an embodiment, the malware that is removed during the shutdown process of the operating system is typically a program that runs as a kernel driver; such malware remains active after user-mode processes have exited, which is why its removal is tied to the release of the registry and the file system.

The removal during shutdown can be performed independently; in other words, the malware can be removed during shutdown of the operating system rather than while the operating system is running, so a method for removing malware during shutdown of the operating system is provided.

In the foregoing malware removal method, the malware can be removed by the driver while the core file runs during start-up of the operating system. If the removal is not successful at that time, the malware is removed again during shutdown of the operating system, as the registry and the file system are released, so that the malware is removed in the end. In other words, removing the malware during both start-up and shutdown of the operating system provides an additional safeguard, which greatly increases security.

Furthermore, in practice, the two methods of removing the malware, during start-up and during shutdown of the operating system, can be chosen flexibly according to the security requirements.

Referring to FIG. 6, in one embodiment, a malware removal device includes a start loading module 110, a path reading module 130, and a program deleting module 150.

The start loading module 110 is configured to start a core file and build an environment after the operating system is run, then load a driver in the built environment.

In the illustrated embodiment, after the operating system is started the following procedures are executed in order: the master boot record (MBR) is read, the DOS boot record (DBR) is read, the NT loader (NTLDR) runs and loads the initial registry hive, the core file (NTOSKRNL.EXE) runs, the system variables are initialized (SMSS.EXE), and the user logon process (WINLOGON.EXE) is loaded. The core file is essentially the program NTOSKRNL.EXE. The initialization of the registry and the file system is completed during start-up of the operating system. After NTOSKRNL.EXE has initialized the registry and the file system, the kernel enters its driver-calling stage, which provides a kernel driver environment in which the loaded drivers run in the kernel layer.

The path reading module 130 is configured to read a configuration file by the driver to obtain the path of the malware.

In the illustrated embodiment, the driver is the component that performs the removal of the malware; it is triggered by a call made while the core file runs. The configuration file records the malware that has been verified and is to be deleted, together with the corresponding path of each.

In an alternative embodiment, the path reading module 130 is further configured to traverse the configuration file with the driver and read the registry path and the file path of the malware, respectively.

In the illustrated embodiment, the malware consists of registry entries and files, which are usually recorded in different locations. Accordingly, the path read by the path reading module 130 from the configuration file includes both the registry path and the file path of the malware.

The program deleting module 150 is configured to delete the registry entries and files of the malware in the kernel layer according to the path of the malware.

In the illustrated embodiment, the driver running in the kernel layer has the highest privilege level in the operating system: it can access any memory and any hardware directly, without restriction, so it can delete the registry entries and files of the malware through a force-delete interface of the kernel layer. The force-delete interface is a low-level interface built on the driver, which runs at the highest privilege level in the operating system, and it bypasses the system's security check mechanism. Unlike a deletion interface in the application layer, the force-delete interface does not fail because of that security check mechanism, so the registry entries and files of the malware are deleted by force.

In the described malware removal device, the removal is triggered by the driver running in the kernel layer while the core file runs during start-up of the operating system. At that time the malware has not yet run, because the operating system has only just completed the initialization of the registry and the file system for the kernel, and user mode has not yet started. Accordingly, the removal procedure prevents the write-back by the malware, the registry entries and files of the malware are removed completely, and a removal failure is avoided.

Additionally, in the conventional removal method the malware is deleted after the program SMSS.EXE has run, that is, after the kernel's driver-calling stage that runs the core file has finished and the operating system has completed the initialization of the registry and the file system (when SMSS.EXE has completed). Because the malware has already run by then, its write-back cannot be avoided, and the removal fails. In the present malware removal device, the malware is removed as soon as the core file runs, so the write-back of the malware is avoided.

Referring to FIG. 7, in one embodiment, the malware removal device further includes a registry releasing module 210 and a registry uninstalling module 230.

The registry releasing module 210 is configured to read, by the driver, the registry path of the malware when the operating system is shutting down and releasing the registry.

In the illustrated embodiment, when the operating system is started the registry and the file system are loaded. Correspondingly, when the operating system is shut down the registry and the file system are unloaded, so as to release them from memory. While the registry is being released, the registry path of the malware is read immediately by the registry releasing module 210 and the deletion of the registry entries of the malware is then executed. Accordingly, the registry entries of the malware are removed during shutdown of the operating system, while the registry is being released, so that the malware cannot write them back, and the registry entries of the malware are removed completely.

The registry uninstalling module 230 is configured to call a registry uninstall function to delete the registry entries of the malware according to the registry path of the malware.

In the illustrated embodiment, once the registry path of the malware has been read, the registry uninstalling module 230 deletes the registry entries of the malware by calling a registry uninstall function through the driver. The registry uninstall function is a callback routine invoked when the registry is unloaded.

Referring to FIG. 8, in another embodiment, the malware removal device further includes a file releasing module 310 and a file uninstalling module 330.

The file releasing module 310 is configured to read, by the driver, the file path of the malware when the operating system is shutting down and releasing the file system.

In the illustrated embodiment, after the registry has been released the file system is unloaded, so that it is released from memory. While the file system is being released, the file path of the malware is read by the file releasing module 310 through the driver and the deletion of the file of the malware is executed immediately; thus the write-back of the malware is prevented and the file of the malware is removed completely.

The file uninstalling module 330 is configured to call a file uninstall function to delete the file of the malware according to the file path of the malware.

In an alternative embodiment, the malware removal device further includes a registering module configured to pre-register the registry uninstall function and the file uninstall function.

In the illustrated embodiment, the registering module registers the registry uninstall function and the file uninstall function in advance, so that during the foregoing removal processes they are called automatically as part of the shutdown procedure of the operating system, that is, when the registry and the file system are released.

In the foregoing malware removal device, during the shutdown process of the operating system the malware is removed by the driver as the registry and the file system are released. Since the registry and the file system have already been released by the operating system, the malware cannot write back its registry entries and files, so the malware is removed completely and successfully, which greatly increases the security of the system.

In an embodiment, the malware that is removed during the shutdown process of the operating system is typically a program that runs as a kernel driver; such malware remains active after user-mode processes have exited, which is why its removal is tied to the release of the registry and the file system.

The device that removes the malware during shutdown can operate independently; in other words, the malware can be removed during shutdown of the operating system rather than while the operating system is running, so a device for removing malware during shutdown of the operating system is provided.

In the foregoing malware removal device, the malware can be removed by the driver while the core file runs during start-up of the operating system. If the removal is not successful at that time, the malware is removed again during shutdown of the operating system, as the registry and the file system are released, so that the malware is removed in the end. In other words, removing the malware during both start-up and shutdown of the operating system provides an additional safeguard, which greatly increases security.

Furthermore, in practice, the two methods of removing the malware, during start-up and during shutdown of the operating system, can be chosen flexibly according to the security requirements.

In the foregoing malware removal method, device, and computer storage medium, the driver is loaded while the core file runs during start-up of the operating system, and the registry entries and files of the malware are deleted in the kernel layer according to the path of the malware, so that the malware is removed before it has had a chance to run. In addition, a driver running in the kernel layer has a higher system privilege than a program running in the application layer, so it can force-delete the malware, which increases security.

Although the present invention has been described with reference to the embodiments thereof and the best modes for carrying out the present invention, it is apparent to those skilled in the art that a variety of modifications and changes may be made without departing from the scope of the present invention, which is intended to be defined by the appended claims.

What is claimed is:
1. A method of removing malware in a computer that executes an operating system, the method comprising: during start-up of the operating system, starting a core file and building a kernel driver environment in a kernel layer for the same operating system, and loading a driver in the built kernel driver environment before completion of registry and file system initialization; reading, by the driver in the kernel layer, a configuration file to obtain a registry path and a file path of a malware; deleting, by the driver in the kernel layer before the completion of registry and file system initialization, a registry and file of the malware according to the obtained registry path and file path of the malware; in response to the deleting being unsuccessful, reading, by the driver in the kernel layer, the registry path of the malware when the operating system is shutting down and releasing the registry system of the operating system; and calling a registry uninstall function to delete the registry of the malware according to the registry path of the malware.
2. The method according to claim 1, wherein the deleting, by the driver in the kernel layer before the completion of registry and file system initialization, the registry and file of the malware comprises: deleting the registry and file of the malware via the driver running in the kernel layer, utilizing a force-deleting file interface of the kernel layer.
3. The method according to claim 1, wherein the reading, by the driver in the kernel layer, the configuration file comprises: traversing the configuration file to obtain the registry path and the file path of the malware, respectively.
4. The method according to claim 1, further comprising: reading, by the driver in the kernel layer, the file path of the malware when the operating system is shutting down and releasing the file system of the operating system; and calling a file uninstall function to delete the file of the malware according to the file path of the malware.
5. The method according to claim 4, wherein, prior to the calling the registry uninstall function to delete the registry of the malware according to the registry path of the malware, the method further comprises: pre-registering the registry uninstall function; and, prior to the calling the file uninstall function to delete the file of the malware according to the file path of the malware, the method further comprises: pre-registering the file uninstall function.
6. A malware removal device comprising: a non-transitory computer readable storage medium to store registry(ies), files and program(s), and computer hardware configured, including configured by the program(s), to implement modules to: during start-up of an operating system program, start a core file and build a kernel driver environment in a kernel layer for the same operating system, and load a driver in the built kernel driver environment before completion of registry and file system initialization; read, by the driver in the kernel layer, a configuration file to obtain a registry path and a file path of a malware; perform a deletion, by the driver in the kernel layer before the completion of registry and file system initialization, of a registry and file of the malware according to the obtained registry path and file path of the malware; and, in response to the deletion being unsuccessful, read, by the driver in the kernel layer, the registry path of the malware when the operating system is shutting down and releasing the registry system of the operating system, and call a registry uninstall function to delete the registry of the malware according to the registry path of the malware.
7. The malware removal device according to claim 6, wherein the deletion, by the driver in the kernel layer before the completion of registry and file system initialization, deletes the registry and file of the malware via the driver running in the kernel layer by utilizing a force-deleting file interface of the kernel layer.
8. The malware removal device according to claim 6, wherein the reading of the configuration file traverses the configuration file via the driver to obtain the registry path and the file path of the malware, respectively.
9. The malware removal device according to claim 6, wherein the computer hardware configuration further implements modules to: read, by the driver in the kernel layer, the file path of the malware when the operating system is shutting down and releasing the file system of the operating system; and call a file uninstall function to delete the file of the malware according to the file path of the malware.
10. The malware removal device according to claim 9, wherein the computer hardware configuration further implements modules to: pre-register the registry uninstall function and pre-register the file uninstall function.
11. A non-transitory computer storage medium storing computer-executable instructions used for controlling a method of removing malware in a computer that executes an operating system, wherein the method comprises: during start-up of the operating system, starting a core file and building a kernel driver environment in a kernel layer for the same operating system, and loading a driver in the built kernel driver environment before completion of registry and file system initialization; reading, by the driver in the kernel layer, a configuration file to obtain a registry path and a file path of a malware; deleting, by the driver in the kernel layer before the completion of registry and file system initialization, a registry and file of the malware according to the obtained registry path and file path of the malware; and, in response to the deleting being unsuccessful, while the operating system shuts down and releases the registry system of the operating system, calling a registry uninstall function to control a deletion of the registry of the malware according to the registry path of the malware.